- u_off-by-one-write-in-XListExtensions.patch

* fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
- u_out-of-boundary-write-in-XListExtensions.patch
  * fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
- u_crash-on-invalid-reply-in-XListExtensions.patch
  * crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=45

libX11.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
+
+- u_off-by-one-write-in-XListExtensions.patch
+  * fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
+- u_out-of-boundary-write-in-XListExtensions.patch
+  * fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
+- u_crash-on-invalid-reply-in-XListExtensions.patch
+  * crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598) 
+
 -------------------------------------------------------------------
 Thu Mar 15 09:01:19 UTC 2018 - msrb@suse.com
 

libX11.spec

@@ -36,6 +36,12 @@ Patch9:         p_xlib_skip_ext_env.diff
 Patch15:        en-locales.diff
 # PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
 Patch16:        u_Use-flexible-array-member-instead-of-fake-size.patch
+# CVE-2018-14599
+Patch1102062:   u_off-by-one-write-in-XListExtensions.patch
+# CVE-2018-14600
+Patch1102068:   u_out-of-boundary-write-in-XListExtensions.patch
+# CVE-2018-14598
+Patch1102073:   u_crash-on-invalid-reply-in-XListExtensions.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  autoconf >= 2.60
@@ -145,6 +151,9 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
 %patch9 -p0
 %patch15 -p0
 %patch16 -p1
+%patch1102062 -p1
+%patch1102068 -p1
+%patch1102073 -p1
 
 %build
 # Got patches which change auto*files

u_crash-on-invalid-reply-in-XListExtensions.patch

@@ -0,0 +1,46 @@
+From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
+From: Stefan Dirsch <sndirsch@suse.de>
+Date: Tue, 14 Aug 2018 11:46:40 +0200
+Subject: [PATCH] crash on invalid reply in XListExtensions
+References: bsc#1102073 CVE-2018-14598
+
+If the server sends a reply in which even the first string would
+overflow the transmitted bytes, list[0] will be set to NULL and
+a count of 0 is returned.
+
+If the resulting list is freed with XFreeExtensionList later on,
+the first Xfree call:
+
+    Xfree (list[0]-1)
+ turns into
+    Xfree (NULL-1)
+
+which will most likely trigger a segmentation fault.
+
+I have modified the code to return NULL if the first string would
+overflow, thus protecting XFreeExtensionList later on.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/ListExt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 6537c4dc..ece9ba31 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -83,6 +83,11 @@ char **XListExtensions(
+ 		    length = (unsigned char) *ch;
+ 		    *ch = '\0'; /* and replace with null-termination */
+ 		    count++;
++		} else if (i == 0) {
++		    Xfree(list);
++		    Xfree(ch);
++		    list = NULL;
++		    break;
+ 		} else
+ 		    list[i] = NULL;
+ 	    }
+-- 
+2.16.4
+

u_off-by-one-write-in-XListExtensions.patch

@@ -0,0 +1,67 @@
+From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
+From: Stefan Dirsch <sndirsch@suse.de>
+Date: Mon, 23 Jul 2018 14:26:05 +0200
+Subject: [PATCH] off-by-one write in XListExtensions
+References: bsc#1102062 CVE-2018-14599
+
+The function XListExtensions is vulnerable to an off-by-one override on
+malicious server responses.
+
+The server reply consists of extension names consisting of a length byte
+followed by actual string, which is not NUL-terminated.
+
+While parsing the response, the length byte is overridden with '\0',
+thus the memory area can be used as storage of C strings later on. To
+be able to NUL-terminate the last string, the buffer is reserved with
+an additional byte of space.
+
+For a boundary check, the variable chend (end of ch) was introduced,
+pointing at the end of the buffer which ch initially points to.
+Unfortunately there is a difference in handling "the end of ch".
+
+While chend points at the first byte that must not be written to,
+the for-loop uses chend as the last byte that can be written to.
+
+Therefore, an off-by-one can occur.
+
+I have refactored the code so chend actually points to the last byte
+that can be written to without an out of boundary access. As it is not
+possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
+with the corrected chend meaning, I removed the inner if-check.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/ListExt.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 7fdf9932..8f344ac0 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -74,19 +74,15 @@ char **XListExtensions(
+ 	    /*
+ 	     * unpack into null terminated strings.
+ 	     */
+-	    chend = ch + (rlen + 1);
++	    chend = ch + rlen;
+ 	    length = *ch;
+ 	    for (i = 0; i < rep.nExtensions; i++) {
+ 		if (ch + length < chend) {
+ 		    list[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    if (ch <= chend) {
+-			length = *ch;
+-			*ch = '\0'; /* and replace with null-termination */
+-			count++;
+-		    } else {
+-			list[i] = NULL;
+-		    }
++		    length = *ch;
++		    *ch = '\0'; /* and replace with null-termination */
++		    count++;
+ 		} else
+ 		    list[i] = NULL;
+ 	    }
+-- 
+2.16.4
+

u_out-of-boundary-write-in-XListExtensions.patch

@@ -0,0 +1,41 @@
+From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
+From: Stefan Dirsch <sndirsch@suse.de>
+Date: Mon, 23 Jul 2018 14:30:54 +0200
+Subject: [PATCH] out of boundary write in XListExtensions
+References: bsc#1102068 CVE-2018-14600
+
+The length value is interpreted as signed char on many systems
+(depending on default signedness of char), which can lead to an out of
+boundary write up to 128 bytes in front of the allocated storage, but
+limited to NUL byte(s).
+
+Casting the length value to unsigned char fixes the problem and allows
+string values with up to 255 characters.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/ListExt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 8f344ac0..6537c4dc 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -75,12 +75,12 @@ char **XListExtensions(
+ 	     * unpack into null terminated strings.
+ 	     */
+ 	    chend = ch + rlen;
+-	    length = *ch;
++	    length = (unsigned char) *ch;
+ 	    for (i = 0; i < rep.nExtensions; i++) {
+ 		if (ch + length < chend) {
+ 		    list[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    length = *ch;
++		    length = (unsigned char) *ch;
+ 		    *ch = '\0'; /* and replace with null-termination */
+ 		    count++;
+ 		} else
+-- 
+2.16.4
+